The impact of Google's decision to remove the root certificates issued by a Chinese certificate authority could hamper millions of Chrome users, particularly those in China.

That move, which Google will make in a future Chrome update, will put warnings in front of the browser's users, telling them that sites using the root and EV (Extended Validation) certificates issued by CNNIC (China Internet Network Information Center) are not to be trusted. Rather than pull the plug immediately, however, Chrome will continue to trust existing CNNIC-issued certificates "for a limited time."

Mozilla will also sanction CNNIC, but will not remove the root certificates.

Both browser makers reacted to the discovery last month by Google that CNNIC -- a nonprofit administered by an agency of the Chinese government -- issued an intermediate certificate to an Egyptian company, MCS Holdings. The latter then used its CNNIC-provided certificate to generate unauthorized digital certificates for several Google domains.

Although MCS Holdings claimed that its actions were the result of "human error" and Google confirmed it had seen no signs of abuse -- interception of encrypted traffic or a phishing attack, for example -- the two browser makers lowered the boom, citing violations of their respective policies regarding certificates.

It's unclear how many domains use certificates issued directly by CNNIC, or how many more rely on certificates from intermediate CAs that chain up to the CNNIC root. Mozilla pegged the number of the former at just over 700, with 68% of them under the .cn Top Level Domain (TLD).

Chrome's share in China was immense compared to that of Mozilla's Firefox, which Baidu lumped into its "Other" bucket and which registered just 4.6% in StatCounter's measurement for March.

After Google removes the CNNIC root certificate from Chrome, users who try to reach a site whose certificate chains to that root will see a warning that the site's certificate cannot be trusted. Some may disregard the alert and click through -- a bad habit to pick up -- while others may assume that they've reached a malicious website.

The result: Confusion all around.
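The two mechanics behind this story are easy to lose in the politics: a root CA that hands an intermediate to a third party has handed over the power to sign for any hostname, and a browser that pulls the root afterwards has to decide what to do with the legitimate certificates already chained to it. The Go program below is an added illustration, not code from Google, Mozilla or CNNIC: it mints a throwaway root, an intermediate and two leaves (all hypothetical names; "www.example.com" stands in for the Google domains and "www.example.cn" for a site that legitimately bought a certificate under the root), then applies a policy in the shape of the one the article describes for Chrome: the root is gone from the normal trust store, but leaves on a fixed whitelist of fingerprints are still accepted as long as they chain to the removed root. The whitelist-by-fingerprint design is an assumption for the sake of the example; the article does not say how Chrome identifies the "existing" certificates it keeps trusting.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names: none of these are the real CNNIC, MCS Holdings or Google certificates.
const (
	rootCN  = "Example Root CA (stands in for the CNNIC root)"
	interCN = "Example Sub CA (stands in for the MCS Holdings intermediate)"
	legit   = "www.example.cn"  // a site that legitimately bought a certificate under the root
	rogue   = "www.example.com" // a name the intermediate had no business signing for
)

// template builds a CA or server-leaf certificate template for cn.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl under parent with parentKey; with parent == nil the certificate is self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// fingerprint is the SHA-256 of the DER encoding, the usual way to pin one exact certificate.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Policy models the browser-side rule: Trusted is the normal store (root removed), Removed holds
// the pulled root, and Whitelist lists the pre-existing leaves still accepted "for a limited time".
type Policy struct {
	Trusted   *x509.CertPool
	Removed   *x509.CertPool
	Whitelist map[string]bool
}

// verify does a standard path build and hostname check for the leaf's first DNS name.
func verify(leaf *x509.Certificate, inters []*x509.Certificate, roots *x509.CertPool) bool {
	pool := x509.NewCertPool()
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: leaf.DNSNames[0]})
	return err == nil
}

// Evaluate returns "ok", "grandfathered" (whitelisted and still chaining to the removed root)
// or "untrusted" (the case where the Chrome user gets a warning page).
func (p Policy) Evaluate(leaf *x509.Certificate, inters []*x509.Certificate) string {
	switch {
	case verify(leaf, inters, p.Trusted):
		return "ok"
	case p.Whitelist[fingerprint(leaf)] && verify(leaf, inters, p.Removed):
		return "grandfathered"
	default:
		return "untrusted"
	}
}

// Demo returns the verdict for four situations so they can be asserted on rather than only printed.
func Demo() map[string]string {
	root, rootKey := sign(template(rootCN, 1, true), nil, nil)
	inter, interKey := sign(template(interCN, 2, true), root, rootKey)
	legitLeaf, _ := sign(template(legit, 3, false), root, rootKey)
	rogueLeaf, _ := sign(template(rogue, 4, false), inter, interKey)

	before := x509.NewCertPool() // trust store before the sanction
	before.AddCert(root)
	after := x509.NewCertPool() // trust store after: the root is simply gone
	removed := x509.NewCertPool()
	removed.AddCert(root)
	chain := []*x509.Certificate{inter}
	wl := map[string]bool{fingerprint(legitLeaf): true}

	out := map[string]string{}
	// 1. Before: the rogue leaf verifies; nothing in the chain limited what the intermediate could sign.
	out["before/rogue"] = Policy{Trusted: before}.Evaluate(rogueLeaf, chain)
	// 2. After, legitimate site not on the whitelist: the user sees a warning.
	out["after/legit-unlisted"] = Policy{Trusted: after, Removed: removed}.Evaluate(legitLeaf, nil)
	// 3. After, legitimate site on the whitelist: still accepted for now.
	out["after/legit-listed"] = Policy{Trusted: after, Removed: removed, Whitelist: wl}.Evaluate(legitLeaf, nil)
	// 4. After, the rogue leaf: refused even though it chains to the removed root.
	out["after/rogue"] = Policy{Trusted: after, Removed: removed, Whitelist: wl}.Evaluate(rogueLeaf, chain)
	return out
}

func main() {
	for k, v := range Demo() {
		fmt.Printf("%-22s %s\n", k, v)
	}
}
```

Case 1 is the whole problem in one line: the intermediate carried no name constraints, so a certificate for a domain the issuer never controlled verified exactly like a legitimate one, and Google only noticed because Chrome pins its own domains. Cases 2 and 3 are the trade-off the article describes: without a whitelist entry every site under the root breaks at once; with one, the exact pre-existing certificate keeps working while a freshly minted one (case 4) does not.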

Not surprisingly, CNNIC didn't care for Google's punishment. "The decision that Google has made is unacceptable and unintelligible," the organization said in a Thursday statement.

CNNIC may be a small player in the certificate authority (CA) space -- it's not among the seven large CAs that make up the CA Security Council, for instance, a group that includes Comodo, Entrust, GoDaddy and Symantec -- but it is a powerhouse within China. One of its primary duties is to administer the massive .cn TLD.

The Chinese government may retaliate if CNNIC cannot satisfy Google and the two end up at loggerheads, contended one expert.

"They could ban Chrome from government computers," said Adam Segal, a senior fellow at the Council on Foreign Relations and the director of the organization's digital and cyberspace policy program. "It would be much more difficult to do that on [consumer and business computers], but they could block access to downloading Chrome in the future."

China has gotten into a habit of striking back at U.S. and Western European companies that irk the government, Segal noted, especially when officials can point people to a home-grown substitute. There are no realistic replacements for U.S.-made browsers, though: The leading domestic browser, Sogou, accounted for less than 5% in March, Baidu's stats showed. So the response may not be aimed at Chrome, for fear of further disrupting the country.

"I suspect that if they wanted to go after Google, they may not go directly after Chrome," Segal said. "They have lots of other tools. They could hold up licenses for Android [smartphones], for example."

It may not come to that, as both Google and Mozilla have said that CNNIC may reapply for trusted status after changing its practices.

There's nothing wrong with those demands, said John Pescatore, director of emerging security trends at the SANS Institute. "Browser makers have the right to say 'If you screw up, you need to go through this again,'" Pescatore argued. "I think it's a good thing that CAs do that."

But Pescatore cautioned that browser makers must be fair, and not apply what he called a "one-strike" rule to CNNIC while giving others, say a U.S.-based CA like Symantec's VeriSign, three strikes before dropping the same hammer.

"From the point of view of North America and Western Europe, we have very good reasons for suspecting Chinese organizations, because they're often extensions of the government, who we know spies on its citizens," said Pescatore. "But outside the U.S. and Europe, many people say the same things about Google, Microsoft and Apple, that after the Snowden disclosures, they're extensions of the U.S. government, or have been compromised by the government."

While Pescatore declined to speculate on specific actions China's government might take, he likened any potential payback to a trade war, where a move by one side generates an eye-for-an-eye response.

"If the U.S. says it's going to test beef coming from China, then China will say it will test the beef that comes from the U.S.," Pescatore said. "And like in a trade war, [retaliation] could create blowback completely unrelated to browsers, perhaps problems for some other U.S. company that's negotiating in China."

This story, "Google's cert sanction may hamper browsing, trigger China retaliation," was originally published by Computerworld.